This page contains a list of some of the larger, more noteworthy feature changes to BoKS throughout the 7.x versions. It is not a complete list. For more complete and detailed information, please see the Release Notes and Administration Guide for a specific version.

Features added in BoKS 7.0

New Audit Logging Infrastructure
A completely new audit log server and logging infrastructure has been implemented to make logging more efficient and extensible. The implementation is based on the syslog standard. The program logadm has been replaced by bokslogadm and the program bkslog has been replaced by bokslogview.

Support is included for relaying logs from BoKS to an external syslog server.

New Format for Unix Groups
Unix groups in BoKS now have the format hostgroup|host:group, meaning that Unix groups are provisioned to the appropriate hosts when they are created. Group provisioning is no longer dependent on user membership before being provisioned.

Keystroke Log Transfer Mechanism
BoKS Manager 7.0 includes functions for direct transfer of keystroke log files from keystroke logged sessions so that if so configured no keystroke log files are stored on the local host. Keystroke log relay servers are installed on all Replicas and the Master.

You can configure per host and Host Group what relay servers are prioritized when keystroke logs are transferred over the network.

You can specify at an Access Routes level how log file transfer is handled and what fallback mechanisms are used, if any.

Keystroke logs now have a unique Log ID (LID) that allows them to be linked to audit log events that are related to the particular keystroke logged session.

Longer Default Key Length for Certificates
Certificates in user and host virtual cards, and CA certificates in BoKS now have a longer default length of 2048 bits for certificates and 4096 bits for CA certificates.

Items Moved to BoKS Database
Host pre-registration data and pre-registration types are now stored in the BoKS database rather than files. This is also the case for time zone information for hosts and the alarmlog label list.

Protocol Logging Now Activated at Install
The audit logging of SSH commands, SCP, SFTP and, on Linux, REXEC commands is activated when you install a new BoKS Master, but can be deactivated if required in the BoKS ENV file.

Host Group and User Class Name Size
The HOSTGROUP and USERCLASS fields in the BoKS database have been extended to 64 characters.

Features added in BoKS 7.1

Access Rule Enhancements
The BoKS access control mechanism has been enhanced, with BoKS Access Rules (the new name for Access Routes) managed using a new CLI program, boksrule. Enhancements include:

  • Unique Access Rule ID that is included in audit log messages, showing exactly which rule granted access.
  • Ability to edit Access Rules without having to delete & recreate them.
  • Ability to set Access Rule start/end dates & times. Rules can be set for future activation and/or deactivation.
  • Expired Access Rules can be automatically deleted.
  • Ability to add a comment for Access Rules.
  • Ability to copy Access Rules to another user or User Class.

A new CLI program, boksrule, has been added for management of Access Rules for both users and User Classes. The programs ttyadmin and routeadm are still included and support the new enhancements in this version; however, these programs are deprecated and may not be supported in future versions.

User Account Enhancements

The following user account enhancements are included:

  • Never expiring user accounts.
  • Never expiring passwords.
  • Timestamps added for manual block, account creation time, account modified time, and account blocked time.
  • Comment field for why a user was manually blocked.
  • Dot (.) now allowed by default in usernames.

Improved User Activity Tracking
The mechanism to determine a user's activity has been re-written. The new method has an 8-hour resolution. This minimizes replication traffic while still providing the ability to determine if an account is active and when it was last used. A user's activity date is updated any time one of the following authentications is successful (for methods where from-user authentication is used, both the to- and from-user accounts are updated):

  • suexec - from & to updated
  • su - from & to updated
  • ssh_sh - user updated
  • ssh_exec - user updated
  • scp - user updated
  • telnet - user updated
  • rlogin - user updated
  • rsh - user updated
  • edit - from & to updated
  • bccas - user updated

lsbks Output Improved
The command "lsbks -a|f" now shows user creation, modification and last activity times by default.

IPv6 Support
Internal BoKS protocols have been updated to fully support IPv6.

BoKS Password Manager
The BoKS Password Manager product is now integrated into BoKS Manager and FCC. It is no longer an add-on product requiring separate installation and configuration.

Keystroke Logging for BoKS SSH Access
The SSH_SH access method can be configured to be keystroke logged. This enables you to record user activity in interactive SSH sessions in forensic detail. The logging occurs at the tty and is not dependent on the user's shell. Note that this is not supported for SSH rules with chroot specified.

Keystroke Log Encryption Lifecycle Management
Ability to renew the encrypted keystroke logging CA when required.

BoKS Non-Privileged Editor
A new function has been added that allows you to give users access to create, view and edit files on BoKS-protected hosts as another user without having their privileges elevated to the other user. The BoKS non-privileged editor ensures that users cannot escape to a shell as the to-user. Access is controlled using the new EDIT access method, and is run by end-users with the boksedit/boksview program.

BoKS Performance Enhancements

  • Speedup of clntd send bridge on Master
  • udsqd can support more than 1024 simultaneous connections from Server Agents
  • boks_master speedup of logout messages
  • boks_servc speedup of host cache lookup
  • Replica notifications sent to Master immediately
  • boks_drainmast read lock on database
  • Optional authentication caching
  • Replica load-balancing improved. Server Agents can now determine how busy a responding Replica is so they can better choose the most appropriate Replica.

BoKS AD Bridge Enhancements

  • One-to-many mapping from AD to BoKS accounts
  • Speedup of adsync (~factor of 5)
  • authadm calls boks_servc instead of boks_master to get all users with authenticators
  • Configuration to use iUPN or eUPN for BoKS Kerberos principal name

suexec Noexec Option
A new option for suexec Access Rules, suexec_noexec, can be used to prevent programs started by suexec from running system exec commands and thus executing other programs in turn.

FCC Improvements

  • Edit rules
  • Create similar rules from an existing one
  • Search fields are case-insensitive
  • Listing and searching of Access Rules
  • Change default shell for user creations
  • Change user's Host Group

Error Log Improvements
lserrlog output can now be presented on single lines ("lserrlog -m").

Stronger Default Certificates
Certificates created by the BoKS internal CA are now signed with SHA256.

Syslog Relay Improvements
The syslog relay now supports both TCP and UDP protocols.

OpenSSH Upgrade
OpenSSH build version upgraded to OpenSSH v7.3. Added support for SHA512 fingerprints.

Rename Objects
Nearly all objects in BoKS can now be renamed, rather than having to be deleted and recreated.

Features Added in BoKS 7.2

Authentication Improvements

  • Support added for RADIUS authentication.
  • Support added for Yubikey authentication. Yubikey password tokens are supported as a secondary authentication method.
  • Added support for use of StartTLS in the LDAP protocol for external LDAP authentication.
  • The Heimdal Kerberos library used in previous BoKS versions has been replaced by MIT Kerberos, as this is considered a more widely-supported platform.

Functional Account Identification
Accounts now have a "functional account" flag. This flag can be set to make it easier to determine which accounts in the database are functional, as opposed to human. The setting can be modified and viewed with mkbks/modbks/lsbks, and through boks_bccasd.

Disable Password Hash Formats
Functionality has been added so that any password hash format for user passwords can be allowed or disallowed. You can allow or disallow different sets of hash formats for functional and non-functional accounts.

Database Download Performance
Database download operations have been enhanced with two new daemons for improved download speeds.

Host Last Activity
A LASTACTIVITY database field has been added for hosts; it is updated once per day if the host is up. BoKS 7.2 Server Agents make a call once per day while they are up so that the field is updated. For older Server Agents the field is updated only if they make calls to servc. The command "hostadm -l -o N" lists hosts with LASTACTIVITY older than N days, sorted with the most recent first, showing hostname and date, one per line. Hosts with no LASTACTIVITY set are listed as "-". The field also appears in the host listing ("hostadm -l") for BoKS hosts.

Hotfix Listing
The command "boksversion -h" can be used to list the hotfixes currently installed on the host.

lsbks Improvements

  • The command "lsbks -p" now lists user info in passwd format without including the password hash. The letter 'x' is printed in the password hash position of the output.
  • The command "lsbks -d <delimiter>" can be used to change the attribute delimiter to something other than newline so that all output for a user is printed on a single line.

Other CLI Improvements
For dumpbase, the option -t can now be used to dump multiple tables. The parameter is a comma-separated string of table numbers or names with no spaces allowed. Tables are dumped in the order specified.

A new CLI program, extauthadm, has been added for managing the external authentication server list. The extauthadm program supersedes ldapauthadm, but ldapauthadm is still supported. extauthadm adds support for multiple types of authentication servers. Currently only type "ldap" is used, but further server types will be added in future BoKS versions.

Conditional Processing of Client Requests
bridge_servc_r processing is now controlled by an ENV variable. You no longer have to comment servc out of the boksinit scripts in order to prevent serving Server Agent authentication/authorization requests. This is available for the Master and Replicas.

Force Client Update Retry
You can now use the command "boksdiag pushbatch ip-address [ip-address ...]" to force a re-send of batched client updates to given IP addresses instead of waiting for up to 30 minutes for it to happen.

Master/Replica Conversion Improvement
You no longer have to enter the nodekey manually when converting the Master to a Replica.

Password Improvements

  • The default maximum password length is now 72 (instead of 8).
  • Passwords can have up to 254 characters.
  • The password history max length of 20 is now enforced; it was previously documented but not enforced.
  • The password "look alike" check has been completely rewritten. See the documentation for the new options.

Solaris Improvements
The root account can now be defined as a role on Solaris hosts.

Object Comments
Most of the common objects in BoKS now have comment fields. Comments are available for hosts, Host Groups, Access Rules, User Classes, UNIX groups, host pre-registration items, password regex rules, and authenticators (per user).

Last Modified On: August 28, 2019